What is claimed is: 



CLAIMS 



1 . A method for digitally signing a message, the method comprising: 
providing a message digest (M x , M z ); 

providing a modulus N; 

providing a number V in the ring Z N , wherein for another number S 
in the ring Z N , V-S 2 =l in Z N ; 

solving the equation (M x + x) 2 - V-y 2 = 4-(M z + z) in Z N to produce 
x, y, and z; and 

assigning SIG as the signature of (M x , M z ), wherein SIG comprises 

(x,y). 

2. The method according to claim 1 and wherein SIG comprises 
(x,y,z). 

3. The method according to claim 1 and wherein the solving comprises 
the following: 

a) choosing a and (3 in Z such that 0 < a < p < 2 k_1 and gcd(a, p) = 

1 inZ; 

b) choosing y in Z such that 2 n " k_1 < y < 2 n " k and p | (a-N + y) in Z; 

c) setting R equal to (a-N + y) / p in Z; 

d) setting T equal to -(M z -R + M x + R" 1 ) in Z N ; 

e) if p = 1 or T < 8-y (in Z), setting U and W equal to 0 and 
continuing with step k; 

f) setting D equal a" 1 in Z p ; 

g) setting A equal to N / P in Z; 

h) setting B equal to (T - 8-y) / A in Z; 

i) setting U equal to BD in Z p ; 
j) setting W equal to U-R in Zn; 
k) setting C (T - W) / y in Z; 
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1) setting z equal to U + p-C in Z N ; 
m) setting x equal to T - z-R in Z N ; and 
n) setting y equal to S<x + M x + 2-R" 1 ) in Z N , 
thereby producing x, y, and z. 

4. The method according to claim 3 and also comprising: 
providing a trusted computation device and a non-trusted 

computation device, 

wherein step d) comprises performing a computation in the non- 
trusted computation device. 

5. The method according to claim 4 and wherein the computation in 
the non-trusted computation device comprises a computation of R" 1 . 

6. The method according to claim 5 and wherein the computation in 
the non-trusted computation device is protected from tampering by performing a 
blinding method in the trusted computation device. 

7. The method according to claim 6 and also comprising verifying a 
result of the computation in the non-trusted computation device. 

8. The method according to claim 3 and wherein step a) comprises 
screening a and p. 

9. The method according to claim 8 and wherein the screening 
comprises reducing a and (3 modulo 210. 

10. The method according to claim 9 and wherein the reducing a and 
P modulo 210 comprises: 

computing gcd(210, (a mod 210), (p mod 210)) to produce a result; 

and 
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rejecting a and (3 and choosing another a and p if the result is not 

equal to 1. 

1 1 . The method according to claim 1 and wherein the solving comprises 
the following: 

a) setting a equal to 0; 

b) setting (3 = 1; 

c) choosing y such that 2 n " k "' < y < 2 n " k ; 

d) setting T equal to -(M z -y + M x + y" 1 ) in Z N ; 

e) setting z equal to T / y in Z; 

f) setting x equal to T - z-y in Z N ; and 

g) setting y equal to S-(x + M x + 2-y" 1 ) in Z N , 
thereby producing x, y, and z. 

12. The method according to claim 1 1 and also comprising: 
providing a trusted computation device and a non-trusted 

computation device, 

wherein step d) comprises performing a computation in the non- 
trusted computation device. 

13. The method according to claim 12 and wherein the computation in 
the non-trusted computation device comprises a computation of y" 1 . 

14. The method according to claim 13 and wherein the computation in 
the non-trusted computation device is protected from tampering by performing a 
blinding method in the trusted computation device. 

15. The method according to claim 14 and also comprising verifying a 
result of the computation in the non-trusted computation device. 
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16. A message signer for digitally signing a message based on a 

message digest (M x , M z ), a modulus N, and a number V in the ring Z N , wherein 
for another number S in the ring Z N , V-S 2=: l in Z N , the message signer comprising: 

a solver for solving the equation (M x + x) 2 - V-y 2 = 4-(M z + z) in Z N 
to produce x, y, and z; and 

a signature assignor for assigning SIG as the signature of (M x , M z ), 
wherein SIG comprises (x,y). 
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